- we will install our DNS on Debian
- it's a stable distro for networking
- it's my Proxmox machine, so I thought it would make sense not to outsource my DNS and DHCP; I use the Proxmox machine for my networking and virtualisation stuff anyway
- DO NOT EXPOSE PORT 53 UNLESS YOU KNOW WHAT YOU ARE DOING AND HAVE A PROPER ACL CONFIGURED!
- this will probably flood your server with public DNS requests and might break it
- to avoid unnecessary traffic, we set `recursion no;` in `/etc/bind/named.conf.options`
- in our example we use dynamic update without configuring clients specifically, since this is a private DNS
- hence we set `allow-query { any; };` in the zones we configure in `/etc/bind/named.conf.local`
```console
$ ip a
...
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr0 state UP group default qlen 1000
    link/ether 52:54:00:56:9e:57 brd ff:ff:ff:ff:ff:ff
3: enp9s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 74:d0:2b:9d:49:43 brd ff:ff:ff:ff:ff:ff
4: vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 52:54:00:56:9e:57 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.7/24 scope global vmbr0
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fe56:9e57/64 scope link
       valid_lft forever preferred_lft forever
```
In my case the IP of the DNS machine is `192.168.122.7`, since it's using the `vmbr0` network bridge for virtualisation.
```
############################################################################################################
# /etc/resolv.conf
############################################################################################################
# Generated by NetworkManager
search speedport.ip
nameserver 192.168.122.7            # <----- THE IP OF OUR DNS
nameserver 2a02:3032:317:1192::92
nameserver 192.168.2.1
nameserver 192.168.61.86
# NOTE: the libc resolver may not support more than 3 nameservers.
# The nameservers listed below may not be recognized.
nameserver fe80::1%enp2s0
```
This file will constantly get reset by NetworkManager, so we will need to add our IP again later, but I wanted to explain this before we start the actual DNS installation.
## Install Bind9
```console
$ sudo apt-get install bind9 bind9utils bind9-doc
$ sudo systemctl enable bind9
$ sudo systemctl enable named
```

(on current Debian releases `bind9.service` is an alias of `named.service`, so either of the two `enable` lines is enough)
In our case we want to resolve `foreman.de` to the IP `192.168.122.20`.
- this is the IP of my VM that runs Foreman (I need DNS because of the smart proxy and external DHCP)
`/etc/bind/named.conf.options`:

```
############################################################################################################
# /etc/bind/named.conf.options
############################################################################################################
acl local-lan {
    localhost;
    192.168.1.0/24;
    192.168.122.0/24;   # network for vmbr0
    192.168.123.0/24;   # additional networks
};

options {
    directory "/var/cache/bind";

    forwarders {
        192.168.61.86;  # the DNS my phone uses
        192.168.2.1;    # the DNS of my NIC
    };
    // note: forwarders are only used for recursive queries, so with "recursion no" below they are never consulted

    allow-query { local-lan; };  # allows queries only from the networks defined in local-lan

    dnssec-validation auto;
    auth-nxdomain no;            // conform to RFC1035
    listen-on-v6 { any; };
    recursion no;                // set to no to avoid unnecessary traffic
    querylog yes;                // enable for debugging
    version "not available";     // hide the version string for security
};
```
`$ nano /etc/bind/named.conf.local`

```
############################################################################################################
# /etc/bind/named.conf.local
############################################################################################################
//include "/etc/bind/zones.rfc1918";

zone "foreman.de" IN {
    type master;
    file "/etc/bind/zones/foreman.de";
    allow-query { any; };
    # allow-update { any; };
};

// reverse zone for the 192.168.122.0/24 network (vmbr0), which holds the PTR for 192.168.122.20
zone "122.168.192.in-addr.arpa" IN {
    type master;
    file "/etc/bind/zones/foreman.de.rev";
    allow-query { any; };
    # allow-update { any; };
};
```
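The `allow-query { any; };` inside a zone statement is not narrowed by the `allow-query { local-lan; };` in `named.conf.options`: BIND uses the zone-level clause in place of the global one, so such a zone answers every client that can reach port 53. The script below is an added example, not code from this page or from BIND. It reads two constructed config fragments shaped like the files above with a minimal named.conf parser written for the example, works out the ACL that is actually applied per zone, and then reviews constructed query-log lines (in the format BIND 9.16 writes for `querylog yes;`) to show which queries each zone admits. The `localhost` expansion is simplified to loopback; BIND really means the server's own interface addresses.

```python
"""Added example, not from the page or BIND: which allow-query ACL BIND really
applies per zone, and a review of query-log lines against it. All inputs are
constructed; the named.conf parser is a minimal one written for this example."""
import ipaddress
import re

# Constructed fragments shaped like this page's named.conf.options / named.conf.local
NAMED_CONF_OPTIONS = """
acl local-lan { localhost; 192.168.1.0/24; 192.168.122.0/24; };
options { allow-query { local-lan; }; recursion no; };   // global default for every zone
"""
NAMED_CONF_LOCAL = """
zone "foreman.de" IN { type master; file "/etc/bind/zones/foreman.de";
    allow-query { any; }; };     // the zone clause replaces the global one
zone "122.168.192.in-addr.arpa" IN { type master; file "/etc/bind/zones/foreman.de.rev"; };
"""
QUERYLOG = [  # constructed, in the format of BIND 9.16's "queries" log category
    "client @0x7f1b2c0a1e10 192.168.122.50#51234 (foreman.de): query: foreman.de IN A +E(0)K (192.168.122.7)",
    "client @0x7f1b2c0a1e10 203.0.113.9#4444 (foreman.de): query: foreman.de IN ANY +E(0)K (192.168.122.7)",
    "client @0x7f1b2c0a1e10 203.0.113.9#4445 (example.org): query: example.org IN A +E(0)K (192.168.122.7)",
    "client @0x7f1b2c0a1e10 198.51.100.7#9999 (20.122.168.192.in-addr.arpa): query: 20.122.168.192.in-addr.arpa IN PTR -E(0)K (192.168.122.7)",
]
_TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')
_QUERY = re.compile(r"client (?:@0x[0-9a-f]+ )?(\S+)#\d+ \(\S+\): query: (\S+) IN (\S+) ([+-])")

def parse_named_conf(text):
    """named.conf syntax -> nested [(words, body-or-None), ...], comments stripped."""
    text = re.sub(r"/\*.*?\*/|(//|#)[^\n]*", "", text, flags=re.S)
    toks, pos = _TOKEN.findall(text), 0

    def block():
        nonlocal pos
        stmts, words = [], []
        while pos < len(toks):
            tok, pos = toks[pos], pos + 1
            if tok == "{":
                stmts.append((words, block()))   # '{' opens a nested body
                words = []
            elif tok == "}":
                return stmts
            elif tok == ";":
                if words:
                    stmts.append((words, None))  # simple statement
                words = []
            else:
                words.append(tok.strip('"'))
        return stmts
    return block()

def expand_acl(stmts, spec):
    """Address-match elements -> list of networks, or None for 'any'.
    'localhost' is simplified to loopback (BIND means the server's own addresses)."""
    nets = []
    for elem in spec:
        acl = next((b for w, b in stmts if w[:2] == ["acl", elem]), None)
        if elem == "any":
            return None
        elif elem == "localhost":
            part = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]
        elif acl is not None:
            part = expand_acl(stmts, [w[0] for w, _ in acl])   # named ACL, expand recursively
        else:
            part = [ipaddress.ip_network(elem, strict=False)]
        if part is None:
            return None
        nets += part
    return nets

def _allow_query(body):
    return next(([w[0] for w, _ in sub] for words, sub in body if words == ["allow-query"] and sub), None)

def effective_allow_query(options_conf, local_conf):
    """({zone: networks-or-None}, global networks-or-None) as BIND applies them."""
    stmts = parse_named_conf(options_conf) + parse_named_conf(local_conf)
    global_spec = ["any"]                            # BIND's default when options{} sets nothing
    for words, body in stmts:
        if words == ["options"] and body:
            global_spec = _allow_query(body) or global_spec
    zones = {w[1]: expand_acl(stmts, _allow_query(b) or global_spec)   # the zone clause wins
             for w, b in stmts if w[:1] == ["zone"] and b}
    return zones, expand_acl(stmts, global_spec)

def _admits(nets, ip):
    return nets is None or any(ip in n for n in nets)

def review_querylog(lines, zones, global_nets):
    """(client, qtype, verdict) per query; flags answers given only because the
    zone's own allow-query overrides the global ACL."""
    out = []
    for line in lines:
        m = _QUERY.search(line)
        if not m:
            continue
        src, qname, qtype, _rd = m.groups()
        ip, name = ipaddress.ip_address(src), qname.rstrip(".")
        zone = next((z for z in zones if name == z or name.endswith("." + z)), None)
        if zone is None:
            verdict = "not authoritative, and recursion is off"
        elif not _admits(zones[zone], ip):
            verdict = f"refused by allow-query of {zone}"
        elif _admits(global_nets, ip):
            verdict = f"answered from {zone}"
        else:
            verdict = f"ANSWERED from {zone}: its own allow-query overrides the global ACL"
        out.append((src, qtype, verdict))
    return out

if __name__ == "__main__":
    zones, global_nets = effective_allow_query(NAMED_CONF_OPTIONS, NAMED_CONF_LOCAL)
    for src, qtype, verdict in review_querylog(QUERYLOG, zones, global_nets):
        print(f"{src:>16} {qtype:<4} {verdict}")
```

In the constructed fragment the reverse zone has no clause of its own and therefore inherits `local-lan`, so the external PTR query is refused, while the `ANY` query for `foreman.de` from an outside address is answered. The same override applies to both zones on this page, which is why the ACL in `named.conf.options` alone does not protect them if port 53 is reachable.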
```console
$ sudo mkdir -p /etc/bind/zones
$ sudo cp /etc/bind/db.local /etc/bind/zones/foreman.de
$ sudo cp /etc/bind/db.127 /etc/bind/zones/foreman.de.rev
```
`/etc/bind/zones/foreman.de`:

```
;###########################################################################################################
; /etc/bind/zones/foreman.de
;###########################################################################################################
;
; BIND data file for local loopback interface
;
$TTL    604800
@       IN      SOA     foreman.de. root.foreman.de. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      bindserver.foreman.de.
; A record for name server
bindserver      IN      A       192.168.122.20
@       IN      NS      localhost.
@       IN      A       192.168.122.20
@       IN      AAAA    ::1             ; leftover from the db.local template
```
`/etc/bind/zones/foreman.de.rev`:

```
;###########################################################################################################
; /etc/bind/zones/foreman.de.rev
;###########################################################################################################
;
; BIND reverse data file for local loopback interface
;
$TTL    604800
@       IN      SOA     foreman.de. root.foreman.de. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
; Name server record
@       IN      NS      bindserver.foreman.de.
; A record for name server
bindserver      IN      A       192.168.122.20
; PTR for 192.168.122.20, written as an absolute name; it must lie inside the zone origin 122.168.192.in-addr.arpa
20.122.168.192.in-addr.arpa.    IN      PTR     foreman.de.
@       IN      NS      localhost.
1.0.0   IN      PTR     localhost.      ; leftover from the db.127 template
```
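A reverse zone only works if the zone origin in `named.conf.local` matches the network the PTR records describe: a PTR whose absolute owner name lies outside the origin (for instance a `20.122.168.192.in-addr.arpa.` record in a zone declared for a 10.x network) is "out-of-zone" data, which `named-checkzone` only warns about and `named` drops, so the reverse lookup silently never resolves. The following Python helper is an added example, not code from this page or from BIND: it derives the `in-addr.arpa` origin for an octet-aligned network, computes the relative PTR owner for a host, classifies the records of a zone file as in-zone or out-of-zone, and renders a minimal reverse zone. The networks, hosts and records it is run on are constructed.

```python
"""Added example (not from the page or BIND): derive the in-addr.arpa zone for
a network and check that PTR records actually belong to that zone.
All sample inputs are constructed."""
import ipaddress

def reverse_zone(network):
    """Octet-aligned IPv4 network (/8, /16, /24) -> its in-addr.arpa zone name."""
    net = ipaddress.ip_network(network, strict=False)
    if net.version != 4 or net.prefixlen % 8:
        raise ValueError("only octet-aligned IPv4 networks are handled here")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"

def ptr_owner(ip, zone):
    """Owner name of ip's PTR relative to zone, or None if ip lies outside the zone."""
    fqdn = ipaddress.ip_address(ip).reverse_pointer      # e.g. 20.122.168.192.in-addr.arpa
    suffix = "." + zone.rstrip(".")
    return fqdn[: -len(suffix)] if fqdn.endswith(suffix) else None

def check_ptr_records(zone, records):
    """records: (owner, target) pairs as written in a zone file. An owner with a
    trailing dot is absolute, otherwise it is relative to the zone origin.
    Returns (absolute owner, 'in-zone' | 'out-of-zone') per record."""
    origin = zone.rstrip(".") + "."
    result = []
    for owner, _target in records:
        fqdn = owner if owner.endswith(".") else f"{owner}.{origin}"
        inside = fqdn == origin or fqdn.endswith("." + origin)
        result.append((fqdn, "in-zone" if inside else "out-of-zone"))
    return result

def render_reverse_zone(network, hosts, ns, serial=1):
    """Minimal reverse zone text for network; hosts maps ip -> canonical name.
    Returns (zone origin, zone file text). ns is an absolute name ending in a dot."""
    zone = reverse_zone(network)
    lines = ["$TTL 604800",
             f"@ IN SOA {ns} root.{ns} ( {serial} 604800 86400 2419200 604800 )",
             f"@ IN NS {ns}"]
    for ip, name in hosts.items():
        owner = ptr_owner(ip, zone)
        if owner is None:                    # refuse to emit out-of-zone data
            raise ValueError(f"{ip} is not inside {network}")
        lines.append(f"{owner} IN PTR {name}")
    return zone, "\n".join(lines) + "\n"

if __name__ == "__main__":
    # constructed: the records of this page's reverse file checked against two origins
    recs = [("20.122.168.192.in-addr.arpa.", "foreman.de."), ("1.0.0", "localhost.")]
    for origin in ("0.116.10.in-addr.arpa", "122.168.192.in-addr.arpa"):
        print(origin, check_ptr_records(origin, recs))
    zone, text = render_reverse_zone("192.168.122.0/24", {"192.168.122.20": "foreman.de."},
                                     "bindserver.foreman.de.")
    print(f"zone \"{zone}\":\n{text}")
```

The second argument to `named-checkzone` is the zone origin, so running it with the wrong origin hides exactly this class of error; pass the `in-addr.arpa` name the helper returns rather than the forward domain.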
Check the configuration and restart the DNS (the second argument of `named-checkzone` is the zone origin, so the reverse file is checked against its `in-addr.arpa` name):

```console
$ named-checkzone foreman.de /etc/bind/zones/foreman.de
$ named-checkzone 122.168.192.in-addr.arpa /etc/bind/zones/foreman.de.rev
$ named-checkconf /etc/bind/named.conf.options
$ named-checkconf
$ sudo systemctl restart bind9
```